ruby1.9 (1.9.0.5-1ubuntu2) lucid; urgency=low

  * SECURITY UPDATE: arbitrary code execution via string operations
    - debian/patches/932_CVE-2009-4124.dpatch: calculate lengths properly
      in string.c, add test in test/ruby/test_string.rb.
    - CVE-2009-4124
  * SECURITY UPDATE: incorrect log file sanitation in WEBrick (LP: #509392)
    - debian/patches/933_CVE-2009-4492.dpatch: properly escape in
      lib/webrick/{accesslog.rb,httprequest.rb,httpstatus.rb,httputils.rb},
      add test to test/webrick/test_cgi.rb.
    - CVE-2009-4492
  * SECURITY UPDATE: denial of service in BigDecimal library via string
    argument that represents a large number (LP: #385436)
    - debian/patches/934_CVE-2009-1904.dpatch: handle large numbers
      properly in ext/bigdecimal/bigdecimal.c.
    - CVE-2009-1904

 -- Marc Deslauriers  Mon, 22 Feb 2010 16:34:02 -0500

ruby1.9 (1.9.0.5-1ubuntu1) karmic; urgency=low

  * Backported fix for build failure with -D_FORTIFY_SOURCE from upstream.
    See http://redmine.ruby-lang.org/issues/show/1299
    Fixes build failure on i386.

 -- Lucas Nussbaum  Mon, 05 Oct 2009 13:49:40 +0200

ruby1.9 (1.9.0.5-1) unstable; urgency=low

  [ Daigo Moriwaki ]
  * debian/watch: corrected to follow the new versioning by the upstream
    such as 1.9.1-p0.tar.gz
  * Added debian/patches/090301_r22440_OCSP_basic_verify.dpatch: It did not
    properly check the return value from the OCSP_basic_verify function,
    which might allow remote attackers to successfully present an invalid
    X.509 certificate, possibly involving a revoked certificate.
    [CVE-2009-0642] (Closes: #513528)
  * debian/rules:
    - fixshebang.sh runs on bash.
    - The upstream's COPYING* is no longer installed (due to Debian
      policy). That information is included in debian/copyright.
  * debian/patches/090803_exclude_rdoc.dpatch: ported from the ruby1.9.1
    package.
  * debian/control: Added misc depends.
  * debian/compat: Bumped up the version to 7.

  [ Lucas Nussbaum ]
  * New upstream release.
    + *.inc updated.
    + no longer needed (were backports):
      - 101_parse_rb
      - 103_array_c_r17570_to_r17756
      - 301_dns_spoofing_r18424
      - 302_r18220_webrick_DoS
      - 303_r17726_syslog_safeleve4
      - 304_r17577_trace_var_safeleve4
      - 305_r18496_dl_tain
      - 306_r17586_methods_called_safelevel13
      - 307_r19033_rexml_DoS
      - 308_regexp_segv
      - 930_zero_tainted
    + Refreshed:
      - 919_common.mk_tweaks
    + 102_skip_test_copy_stream: file changed upstream, might no longer be
      needed.
  * Fix building on lpia (Closes: #532057).
  * Disable the test suite on hppa since it blocks because of strange
    signal semantics. (Closes: #514695).
  * Agree with ftpmaster's overrides.
  * Bumped Standards-Version to 3.8.2. No changes needed.
  * Build-Depends on procps. Closes: #510914.
  * debian/fixshebang.sh: skip non-text files, which works around hanging
    of sed on scanning gif images.
  * Added 940_test_file_exhaustive_fails_as_root and
    940_test_priority_fails to deal with test suite failures.
  * Added patch 940_test_thread_mutex_sync_shorter: makes
    test_mutex_synchronize much shorter to deal with slow arches.
    Closes: #514696.
  * Removed Fumitoshi UKAI from Uploaders. Thanks a lot for the past help!
    Closes: #541026.

 -- Daigo Moriwaki  Sat, 22 Aug 2009 09:55:25 +0900

ruby1.9 (1.9.0.2-9.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add upstream patch to properly check return values of the
    OCSP_basic_verify function (CVE-2009-0642; Closes: #513528)

 -- Nico Golde  Mon, 06 Apr 2009 18:43:32 +0200

ruby1.9 (1.9.0.2-9) unstable; urgency=high

  * fixes regression:
    - 307_r19033_rexml_DoS.dpatch: fixed DoS vulnerability in REXML.
      (ref: #502535)
  * added patch: 308_regexp_segv
    avoid segmentation fault in Regexp#inspect.
    (backported r19384, r19433 and r20243 of upstream trunk.)
  * debian/rules: copy debian/generated-incs/*.inc without "-p" option to
    avoid re-generate incs.

 -- akira yamada  Tue, 02 Dec 2008 14:39:22 +0900

ruby1.9 (1.9.0.2-8) unstable; urgency=high

  * Added patch: 930_zero_tainted.dpatch
    backport of upstream r17612.
    Closes: #501408 (RC bug).

 -- Lucas Nussbaum  Thu, 16 Oct 2008 22:15:33 +0200

ruby1.9 (1.9.0.2-7) unstable; urgency=low

  * debian/rules: Fixed a FTBFS on hurd-i386: failure of cat /proc/cpuinfo
    no more stops the build process. (Closes: #497737)

 -- Daigo Moriwaki  Fri, 05 Sep 2008 12:07:57 +0900

ruby1.9 (1.9.0.2-6) unstable; urgency=low

  * Added patches under debian/patches which were backported from the
    upstream and fixed multiple vulnerabilities:
    - 301_dns_spoofing_r18424.dpatch: fixed DNS spoofing vulnerability in
      resolv.rb. (CVE-2008-1447)
    - 302_r18220_webrick_DoS.dpatch: fixed DoS vulnerability in WEBrick.
    - 303_r17726_syslog_safeleve4.dpatch: syslog operations should be
      protected from $SAFE level 4.
    - 304_r17577_trace_var_safeleve4.dpatch: rb_f_trace_var should not be
      allowed at safe level 4.
    - 305_r18496_dl_tain.dpatch: dl doesn't check taintness, so it could
      allow attackers to call dangerous functions.
    - 306_r17586_methods_called_safelevel13.dpatch: Insecure methods may be
      called at safe level 1-3.
      (Closes: #494402)
    - 307_r19033_rexml_DoS.dpatch: fixed DoS vulnerability in REXML.
      (CVE-2008-3790) (Closes: #497610)

 -- Daigo Moriwaki  Tue, 02 Sep 2008 22:11:34 -0400

ruby1.9 (1.9.0.2-5) unstable; urgency=low

  [ Lucas Nussbaum ]
  * Because of make's dependency handling on phony targets after the
    addition of the watch in 1.9.0.1-4, parse.o was rebuilt three times
    during the build process. Build it only once, which should reduce the
    build time significantly.

  [ Daigo Moriwaki ]
  * RubyGems did not work completely due to a gem_prelude mechanism. This
    issue has been fixed. (Closes: #492206)
    - debian/patches/201_gem_prelude.dpatch
    - debian/rules

 -- Daigo Moriwaki  Thu, 31 Jul 2008 00:54:00 +0900

ruby1.9 (1.9.0.2-4) unstable; urgency=low

  * Modified computing of arch_name to cope with armel. This was broken
    because of the change for lpia. We are now using the same code as
    ruby1.8's debian/rules. Closes: #490663.
  * Cleaned up debian/rules to use DEB_HOST_* instead of DEB_BUILD_*.
 -- Lucas Nussbaum  Sun, 13 Jul 2008 16:30:24 +0200

ruby1.9 (1.9.0.2-3) unstable; urgency=low

  * Updated 102_skip_test_copy_stream.dpatch to also ignore
    test_copy_stream_socket.

 -- Lucas Nussbaum  Sat, 12 Jul 2008 16:12:53 +0200

ruby1.9 (1.9.0.2-2) unstable; urgency=low

  * applied debian/patches/103_array_c_r17570_to_r17756.dpatch:
    - fixed an integer overflow bug.

 -- Daigo Moriwaki  Wed, 09 Jul 2008 00:06:50 +0900

ruby1.9 (1.9.0.2-1) unstable; urgency=high

  * New upstream release.
  * debian/generated-incs/*.inc: updated. They were created directly from
    the source using ruby1.8.
  * Fixed vulnerability: arbitrary code execution vulnerability and so on
    (Closes: #487239)
  * debian/watch: supported the version numbering of the upstream.
  * removed patches that the upstream has applied:
    - debian/patches/800_parse_shebang_in_usascii.dpatch
    - debian/patches/801_too_strict_encoding_check.dpatch
    - debian/patches/802_hash_compare_by_identity.dpatch
    - debian/patches/803_syntaxerror_irb_bug.dpatch
    - debian/patches/804_debug.rb_is_bloken.dpatch
    - debian/patches/805_webrick_file_access_vulnerability.dpatch
  * removed patches since this package no longer provides rubygems.
    - debian/patches/910_gem_prelude.dpatch
    - debian/patches/911_default_gem_path.dpatch
    - debian/patches/913_disable_update_system.dpatch
    - debian/patches/917_avoid_ioseek.dpatch
    - debian/patches/918_tighter_search_regex.dpatch
  * Added debian/patches/101_parse_rb.dpatch: RDoc might have failed to
    parse.
  * Added debian/patches/102_skip_test_copy_stream.dpatch: skip a test

 -- Daigo Moriwaki  Sat, 21 Jun 2008 16:02:58 +0900

ruby1.9 (1.9.0.1-5) experimental; urgency=low

  * The gem1.9 package is removed. Use rubygems1.9 instead.

 -- Daigo Moriwaki  Sun, 08 Jun 2008 22:58:14 +0900

ruby1.9 (1.9.0.1-4) experimental; urgency=low

  * Improved 919_common.mk_tweaks.dpatch: outputs the result of "ps" on a
    regular basis, so the build doesn't timeout on slow arches like
    mips(el).
  * Move gem1.9 to a separate package.
    This is necessary because gem1.9 requires rdoc1.9 (see
    https://bugs.launchpad.net/ubuntu/+source/ruby1.9/+bug/228345 ), so
    there are two solutions:
    - keep gem1.9 in ruby1.9, and merge back rdoc1.9. This causes people
      interested in running ruby apps (not developing ruby scripts) to
      install lots of unnecessary stuff.
    - move rubygems to a separate package.

 -- Lucas Nussbaum  Sat, 24 May 2008 11:25:34 +0200

ruby1.9 (1.9.0.1-3) experimental; urgency=low

  * Add uname and /proc/cpuinfo output to the build log.
  * Added 919_common.mk_tweaks.dpatch: build more verbosely. Needed to
    avoid a timeout on mips(el).
  * Added 904_linux_target_os.dpatch from Ubuntu. Robustifies check for
    target_os.
  * debian/rules: Improved substitutions in arch_name (also from Ubuntu).

 -- Lucas Nussbaum  Sat, 17 May 2008 18:04:13 +0200

ruby1.9 (1.9.0.1-2) experimental; urgency=low

  * Build with -O2 everywhere by default.
  * Upload to experimental to see how things work out.

 -- Lucas Nussbaum  Wed, 07 May 2008 15:45:40 +0200

ruby1.9 (1.9.0.1-1) unstable; urgency=low

  [ akira yamada ]
  * new upstream snapshot 1.9.0-1.
  * debian/generated-incs/*: updated.
  * applied some bug fix patches:
    - 800_parse_shebang_in_usascii: [ruby-dev:33955] --encoding affects
      script encoding
    - 801_too_strict_encoding_check: [ruby-dev:33966] remove too strict
      encoding check
    - 802_hash_compare_by_identity: [ruby-dev:33989]
      Hash#compare_by_identity breaks commutativity of Hash#==
    - 803_syntaxerror_irb_bug: [ruby-dev:33991] SyntaxError should not be
      considered as IRB bug
    - 804_debug.rb_is_bloken: [ruby-dev:33992] debug.rb causes
      NoMethodError
    - 805_webrick_file_access_vulnerability: fixes vulnerability of WEBrick
      which is described at
    - 900_ri_pager: updated.

  [ Lucas Nussbaum ]
  * debian/control: Added myself to Uploaders:.
  * debian/control: Added Homepage and Vcs-* fields.
  * added 909_update_lib_README.dpatch, backported from ruby1.8.
  * Improved description of ruby1.9-dev.
  * No longer build using gcc-4.1 on m68k. Use the default gcc version.
    (Closes: #463294)
  * debian/control: bumped Standards-Version to 3.7.3. No changes needed.
  * added watch file.

  [ Daigo Moriwaki ]
  * debian/control:
    - improved the description for libopenssl-ruby1.8.
    - ruby1.9-dev now depends on libc6-dev.

 -- Lucas Nussbaum  Fri, 07 Mar 2008 17:35:14 +0100

ruby1.9 (1.9.0.0-2) unstable; urgency=low

  * Added debian/patches/910_gem_prelude.dpatch: changed the default
    rubygems home directory in prelude as well. (Closes: #458620)

 -- Daigo Moriwaki  Wed, 02 Jan 2008 18:09:03 +0900

ruby1.9 (1.9.0.0-1) unstable; urgency=low

  [Akira Yamada]
  * new upstream version, 1.9.0-0. (closes: #457519, #446220)
  * added manpages for gem1.9 and rake1.9.
  * debian/generated-incs/*.inc: updated by files in upstream tarball.
  * debian/patches/801_update_sample_README.dpatch: removed.
  * debian/patches/903_skip_base_ruby_check.dpatch: updated.
  * debian/NEWS, debian/README.Debian: updated.

  [Daigo Moriwaki]
  * supported rubygems that has been merged with the upstream. I imported
    files and changes from libgems-ruby1.8_1.0.1.deb package.
    - added debian/patches/911_default_gem_path.dpatch
    - added debian/patches/913_disable_update_system.dpatch
    - added debian/patches/918_tighter_search_regex.dpatch
    - added debian/patches/917_avoid_ioseek.dpatch
    - added debian/libruby1.9.postrm.in
    - debian/patches/00list: applied above changes.
    - debian/README.Debian: added a note for rubygems
    - debian/libruby1.9.postinst.in: script to remove a cache file.
    - debian/rules: applied above changes.

 -- akira yamada  Wed, 26 Dec 2007 12:46:09 +0900

ruby1.9 (1.9.0+20071225-1) unstable; urgency=low

  * new upstream snapshot. (r14640)
  * updated debian/generated-incs/* files.

 -- akira yamada  Tue, 25 Dec 2007 10:49:38 +0900

ruby1.9 (1.9.0+20071016-1) unstable; urgency=high

  * new upstream snapshot. (r13713)
    - fixed CVE-2007-5162.
    - fixed illegal instructions at runtime on sparc. (closes: #366444)
      Thanks to Lucas Nussbaum.
  * updated debian/generated-incs/* files.
  * debian/rules: fixed wrong arch_name for arm-linux-gnueabi.
    (closes: #445433) Thanks to Riku Voipio.
  * debian/ruby1.9-elisp.emacsen-startup: uses "\\\\'" for ignore newlines
    in filenames. (closes: #446180) Thanks to Trent W. Buck.
  * debian/control: added Daigo Moriwaki to uploaders and removed Akira
    Tagoh from uploaders.

 -- akira yamada  Thu, 18 Oct 2007 09:36:36 +0900

ruby1.9 (1.9.0+20070910-1) unstable; urgency=low

  * new upstream snapshot. (r13426)
  * debian/rules: added -g option to CPPFLAGS and CXXFLAGS.

 -- akira yamada  Tue, 11 Sep 2007 10:46:09 +0900

ruby1.9 (1.9.0+20070830-2) unstable; urgency=low

  * configure.in: skip host ruby check.
  * debian/generated-incs/prelude.c: added. (closes: #440480)

 -- akira yamada  Sun, 02 Sep 2007 09:20:54 +0900

ruby1.9 (1.9.0+20070830-1) unstable; urgency=low

  * new upstream snapshot. (r13318) (closes: #426134, #426267)
  * updated debian/generated-incs/* files.
  * added debian/patches/902_define_YAML_in_yaml_stringio.rb.dpatch.

 -- akira yamada  Thu, 30 Aug 2007 13:53:44 +0900

ruby1.9 (1.9.0+20070606-1) unstable; urgency=low

  * new upstream snapshot. (2006-06-06)
  * updated debian/generated-incs/* files.

 -- akira yamada  Wed, 06 Jun 2007 11:58:24 +0900

ruby1.9 (1.9.0+20070526-1) unstable; urgency=low

  * new upstream snapshot. (2006-05-26)

 -- akira yamada  Sat, 26 May 2007 21:02:58 +0900

ruby1.9 (1.9.0+20070523-1) unstable; urgency=low

  * new upstream snapshot. (2006-07-23)
  * added debian/generated-incs/* files: They are generated by
    "make incs". Updating these files is needed when the source is
    updated. (Closes: #425607)

 -- akira yamada  Wed, 23 May 2007 13:21:02 +0900

ruby1.9 (1.9.0+20070521-1) unstable; urgency=low

  * new upstream snapshot. (2006-07-21) (Closes: #414856, #388344)

 -- akira yamada  Mon, 21 May 2007 14:00:19 +0900

ruby1.9 (1.9.0+20060609-1) unstable; urgency=low

  * new upstream snapshot.
    (2006-06-09)
  * configure with -fno-strict-aliasing (Bug#370553)
  * rdoc1.9 suggests graphviz (Bug#339524)
  * debian/copyright: added a note for using libopenssl-ruby1.9.
    (Bug#367024)
  * debian/README.Debian: updated. (Closes: #344294)
  * added debian/patches/802_mkconfig.dpatch

 -- akira yamada  Thu, 13 Jul 2006 22:43:47 +0900

ruby1.9 (1.9.0+20060423-4) unstable; urgency=low

  * reverted to 1.9.0+20060423-3.
    - 1.9.0+20060423-3.1 is not enough to fix the problem and
    - 1.9.0+20060423-3.1 ignores dpatch :-<

 -- akira yamada  Thu, 7 Jul 2006 22:44:23 +0900

ruby1.9 (1.9.0+20060423-3.1) unstable; urgency=low

  * Non-maintainer upload.
  * Make mkconfig.rb understand autoconf >2.59a's new way of doing
    config.status; it inserts #|_!!_|# into the sed lines temporarily,
    then removes them at the end. Since mkconfig.rb only parses these
    lines instead of executing the entire sed script, it has to remove
    #|_!!_|# by itself. This fixes FTBFS with newer autoconf.
    (Closes: #373953)

 -- Steinar H. Gunderson  Sun, 25 Jun 2006 16:05:24 +0200

ruby1.9 (1.9.0+20060423-3) unstable; urgency=low

  * akira yamada
    - debian/control, debian/rules: uses gcc-4.1 for m68k.
      (Closes: #360745)

 -- akira yamada  Tue, 25 Apr 2006 23:00:39 +0900

ruby1.9 (1.9.0+20060423-2) unstable; urgency=medium

  * akira yamada
    - debian/rules: CFLAGS=-O0 for avoiding a bug of gcc-4.0 on m68k.
      (Closes: #360745)

 -- akira yamada  Tue, 25 Apr 2006 12:46:34 +0900

ruby1.9 (1.9.0+20060423-1) unstable; urgency=low

  * akira yamada
    - new upstream snapshot. (2006-04-23)

 -- akira yamada  Sun, 23 Apr 2006 18:14:31 +0900

ruby1.9 (1.9.0+20050921-1) unstable; urgency=high

  * akira yamada
    - new upstream snapshot. (2005-09-21)
    - [security] JVN#62914675 CVE-2005-2337
      - preserve safe level in the environment where a method is defined.
      - prohibit calling tainted method (>2) when $SAFE == 0.
    - removed debian/patches/802_workaround_for_send.dpatch:
      - the patch is in upstream.
    - debian/control: build-depends on libreadline5-dev.
      (closes: #326333)

 -- akira yamada  Wed, 21 Sep 2005 13:16:19 +0900

ruby1.9 (1.9.0+20050902-1) unstable; urgency=high

  * akira yamada
    - new upstream snapshot. (2005-09-02)
    - [security] preserve safe level in the environment where a method is
      defined.
    - added debian/patches/802_workaround_for_send.dpatch:
      - workaround for changed behavior of __send__. [ruby-dev:26935]

 -- akira yamada  Fri, 2 Sep 2005 15:21:10 +0900

ruby1.9 (1.9.0+20050727-1) unstable; urgency=low

  * akira yamada
    - new upstream snapshot. (2005-07-27)
    - removed debian/patches/803_runruby.rb_loadpath.dpatch:
      - the patch is in upstream source.

 -- akira yamada  Wed, 3 Aug 2005 19:56:18 +0900

ruby1.9 (1.9.0+20050623-2) unstable; urgency=high

  * akira yamada
    - debian/rules: supported to build with dpkg-dev_1.13. (ref: )
    - changed arch-name for Ruby to i486-linux from i386-linux because
      DEB_BUILD_GNU_TYPE is changed to i486-linux-gnu from i386-linux.
    - (urgency high) used -linux instead of -linux-gnu for paths in
      debian/*.files. (ref: Bug#315566)
    - added patches/902_extra_search_path.patch:
      - temporally added "/usr/local/lib/site_ruby/1.8/i386-linux" and
        "/usr/lib/ruby/1.8/i386-linux" as extra search paths to Ruby on
        ix86 arch.
    - added debian/NEWS.

 -- akira yamada  Wed, 29 Jun 2005 23:53:01 +0900

ruby1.9 (1.9.0+20050623-1) unstable; urgency=high

  * akira yamada
    - new upstream snapshot.
    - (urgency high) fixed arbitrary command execution on XMLRPC server.
      [ruby-core:5237] (see: CAN-2005-1992, Bug#315064)
    - added debian/patches/803_runruby.rb_loadpath.dpatch:
      - runruby.rb should require rbconfig.rb in source directory.
        (it is for make install-doc.)

 -- akira yamada  Thu, 23 Jun 2005 20:33:03 +0900

ruby1.9 (1.9.0+20050412-4) unstable; urgency=low

  * akira yamada
    - debian/rules: CFLAGS=-O0 is for ia64 not for i386.

 -- akira yamada  Sun, 17 Apr 2005 03:30:22 +0900

ruby1.9 (1.9.0+20050412-3) unstable; urgency=high

  * akira yamada
    - debian/rules: fixed wrong filename conversion.
      (closes: #304809)
    - debian/libruby1.9.*.in: should not be empty.

 -- akira yamada  Sat, 16 Apr 2005 01:44:05 +0900

ruby1.9 (1.9.0+20050412-2) unstable; urgency=high

  * akira yamada
    - debian/rules: binary-install/ should contain dh_movefiles only,
      because "debian/rules binary-arch" cannot create some directories.

 -- akira yamada  Fri, 15 Apr 2005 06:47:44 +0900

ruby1.9 (1.9.0+20050412-1) unstable; urgency=low

  * akira yamada
    - uploaded to Debian. (closes: #256004)

 -- akira yamada  Wed, 13 Apr 2005 18:06:34 +0900

ruby1.9 (1.9.0+20050412-0+1) unstable; urgency=low

  * akira yamada
    - initial packaging.

 -- akira yamada  Wed, 13 Apr 2005 07:28:16 +0900